Implementation Guide 2060

Transcription

1 Implementation Guide 2060 Standard 2060 Reporting to Senior Management and the Board The chief audit executive must report periodically to senior management and the board on the internal audit activity s purpose, authority, responsibility, and performance relative to its plan and on its conformance with the Code of Ethics and the Standards. Reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board. Interpretation: The frequency and content of reporting are determined collaboratively by the chief audit executive, senior management, and the board. The frequency and content of reporting depends on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management and/or the board. The chief audit executive s reporting and communication to senior management and the board must include information about: The audit charter. Independence of the internal audit activity. The audit plan and progress against the plan. Resource requirements. Results of audit activities. Conformance with the Code of Ethics and the Standards, and action plans to address any significant conformance issues. Management s response to risk that, in the chief audit executive s judgment, may be unacceptable to the organization. These and other chief audit executive communication requirements are referenced throughout the Standards. Revised Standards, Effective 1 January

2 Getting Started Communicating effectively with senior management and the board is an essential responsibility of the chief audit executive (CAE), and this standard brings together the CAE s primary reporting requirements referenced throughout the Standards. In implementing the standards related to communication, the CAE will usually want to understand the reporting-related expectations of senior management and the board, which may be stated in the audit committee charter. The three parties typically discuss and collaboratively determine the frequency and form of internal audit reporting and the reporting schedule that is most appropriate for the organization, as well as the importance and urgency of various types of audit information. It also may be helpful to agree in advance on protocols for the CAE to report important and urgent risk or control events and the related actions to be taken by senior management and the board. Additionally, the CAE may find it helpful to establish or review: The internal audit charter, including the internal audit activity s purpose, authority, responsibility. The internal audit plan and key performance indicators to measure the internal audit activity s progress toward accomplishing the plan. The quality assurance and improvement program, which gauges the internal audit activity s conformance with the Mandatory Guidance of the International Professional Practices Framework (IPPF). Processes for identifying significant risk and control issues. Considerations for Implementation While Standard 2060 allows flexibility in the frequency and content of reporting, it notes that these factors will depend on the importance of the information and the urgency with which senior management and/or the board might need to act on the communications. Additionally, some standards have specific requirements regarding frequency. For instance, items that must be communicated at least annually include the internal audit activity s organizational 2

3 independence (Standard 1110) and the results of ongoing monitoring of the internal audit activity s performance (Standard 1320). To maintain and track consistent and effective communication with senior management and the board, the CAE may consider using a checklist of all reporting requirements referenced throughout the Standards, which would the following topics: The internal audit charter. Organizational independence of the internal audit activity. Internal audit plans, resource requirements, and performance. Results of audit engagements. Quality assurance and improvement program. Conformance with the Code of Ethics and Standards. Significant risk and control issues, and management s acceptance of risk. Such a checklist may include a schedule of communications and reminders about any approval requirements. Establishing a standing item on the board meeting agenda secures an opportunity for the CAE to communicate regularly. The Internal Audit Charter According to Standard 1000 Purpose, Authority, and Responsibility, the internal audit activity s purpose, authority, and responsibility must be formally defined in the internal audit charter. The CAE is responsible for periodically reviewing the charter and presenting it to senior management and the board for approval. The Mission of Internal Audit and the mandatory elements of the IPPF, which are acknowledged in the internal audit charter, should also be discussed, according to Standard 1010 Recognizing Mandatory Guidance in the Internal Audit Charter. Organizational Independence of the Internal Audit Activity The organizational independence of the internal audit activity must be confirmed to the board annually, according to Standard 1110 Organizational Independence. In addition, any interference in determining the scope of internal auditing, performing work, or communicating 3

4 results as well as the implications of such interference must be disclosed to the board, according to Standard 1110.A1. An independent reporting relationship is essential to facilitate the CAE s ability to communicate directly with the board, as required in Standard 1111 Direct Interaction With the Board. Internal Audit Plans, Resource Requirements, and Performance Standard 2020 Communication and Approval and the related Implementation Guidance specifies the details of communicating the internal audit activity s plans and resource requirements. Standard 2060 adds the requirement to report the internal audit activity s performance relative to its plan. This is an opportunity for the CAE to illustrate the value enhanced and protected by the internal audit activity and the implementation of its recommendations. To quantify the level of performance, many CAEs use key performance indicators such as the percentage of the audit plan completed, percentage of audit recommendations that have been accepted or implemented, status of management s corrective actions, or average time taken to issue reports. In addition, updates on any special requests made by the board and/or senior management may be discussed during board meetings. Results of Audit Engagements The 2400 series of standards covers the requirements for communicating the results of audit engagements, including the information that engagement communications must contain, the quality of that information, and the protocol in the case of errors and omissions or nonconformance with the Code of Ethics or Standards that affects a specific engagement. Standard 2440 Disseminating Results discusses the CAE s responsibilities related to the final engagement communication, and Standard 2450 Overall Opinions describes the criteria for issuing an overall opinion. Quality Assurance and Improvement Program The 1300 series of standards cover the CAE s responsibility for developing and maintaining a quality assurance and improvement program that includes internal and external assessments. 4

5 Standard 1320 Reporting on the Quality Assurance and Improvement Program lists the requirements of the CAE s communication to senior management and the board, including that this reporting must occur as the assessments are completed. However, the results of ongoing monitoring of the internal audit activity s performance, which is part of the internal assessment process, must be reported at least annually. With regard to the external assessment of the internal audit activity, which must be conducted at least once every five years, Standard 1312 External Assessments requires the CAE to discuss with the board the qualifications and independence of the external assessor or assessment team, including any potential conflict of interest. The CAE should encourage board oversight in the external assessment to reduce perceived or potential conflicts of interest. Conformance With the Code of Ethics and Standards Standard 1320 Reporting on the Quality Assurance and Improvement Program and its Implementation Guidance also describe the details of reporting on the internal audit activity s conformance with the Code of Ethics and Standards. Standard 1322 Disclosure of Nonconformance states, When nonconformance with the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board. Standard 1322 also describes considerations for reporting nonconformance. Standard 2431 Engagement Disclosure of Nonconformance stipulates the information that must be disclosed when nonconformance impacts a specific engagement. In addition, Standard 2060 calls for the CAE to communicate action plans to address any significant issues related to conformance. Significant Risk and Control Issues and Management s Acceptance of Risk A primary purpose of CAE reporting is to provide assurance and advice to senior management and the board regarding the organization s governance (Standard 2110), risk management (Standard 2120), and controls (Standard 2130). An in-depth understanding of these processes can be obtained by implementing the 2100 series of standards. Standard 2060 identifies the 5

6 CAE s responsibility to report significant risk and control issues that could adversely affect the organization and its ability to achieve its objectives. Significant issues are those that would require the attention of senior management and the board, which may include conflicts of interest, control weaknesses, errors, fraud, illegal acts, ineffectiveness, and inefficiency. If the CAE believes that senior management has accepted a level of risk that the organization would consider unacceptable, the CAE should first discuss the matter with senior management. If the CAE and senior management cannot resolve the matter, Standard 2600 directs the CAE to communicate the matter to the board. If such issues are too urgent to wait until a scheduled board meeting (e.g., a major fraud), the CAE would be well advised to make arrangements to communicate sooner. Considerations for Demonstrating Conformance CAE discussions with senior management and the board regarding the contents of the charter, the internal audit activity s performance relative to the audit plan, and significant risk exposures or control issues may be documented in agendas and minutes of meetings with the board and senior management. Discussions amongst these parties may also be documented in reports and presentations with attached distribution lists. Minutes from ad hoc meetings and documentation of reports and other communications sent electronically may also demonstrate conformance with Standard Board and senior management survey results and CAE performance evaluations may contain feedback that indicates the quality and effectiveness of the CAE s communication related to this standard. The CAE may also maintain a communications checklist that documents the frequency of reporting and approval requirements. 6

7 About The IIA The Institute of Internal Auditors (The IIA) is the internal audit profession s most widely recognized advocate, educator, and provider of standards, guidance, and certifications. Established in 1941, The IIA today serves more than 180,000 members from more than 170 countries and territories. The association s global headquarters are in Lake Mary, Fla. For more information, visit or About Implementation Guidance Implementation Guidance, as part of The IIA s International Professional Practices Framework (IPPF ), provides recommended (non-mandatory) guidance for the internal audit profession. It is designed to assist both internal auditors and internal audit activities to enhance their ability to achieve conformance with the International Standards for the Professional Practice of Internal Auditing (Standards). Implementation Guides assist internal auditors in applying the Standards. They collectively address internal audit's approach, methodologies, and consideration, but do not detail processes or procedures. For other authoritative guidance materials provided by The IIA, please visit our website at or Disclaimer The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and, as such, is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance. Copyright Copyright 2016 The Institute of Internal Auditors. For permission to reproduce, please contact guidance@theiia.org. 7